With the second wave of the COVID-19 pandemic sweeping across India, as it has across other countries, an increasingly large number of people have moved to digital channels to communicate, and WhatsApp leads the race as their favourite mode of communication.
But what happens when users are unable to access the application itself? How do they communicate or carry out the day-to-day tasks they had been handling easily with the help of WhatsApp?
What Transpired?
Recently, a vulnerability was disclosed in WhatsApp's account-verification process that could allow a third party to lock a legitimate user out of their own registered WhatsApp account.
According to the researchers who reported it, this weakness has been part of the messaging application for a long time. They further state that it not only locks a user out of their account but can also prevent them from re-activating it, even if they have enabled two-factor authentication.
The attack chains two fundamental weaknesses. First, the attacker installs WhatsApp on a smartphone they control and enters the victim's phone number to start the sign-in process. This does not give the attacker the six-digit verification code, which is sent only to the victim's phone. However, the attacker can repeatedly submit wrong codes, and because the failed-attempt lockout is applied to the phone number rather than to the device making the attempts, the victim's number is locked out of verification for 12 hours.
This gives the attacker room to exploit the second weakness: contacting WhatsApp's customer support, where staff may accept a request to permanently deactivate the user's number.
All the attacker needs to do is convince WhatsApp that the victim's number belongs to them, by writing an email claiming that their phone has been lost or stolen.
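The first weakness above is a general design mistake, not something specific to messaging apps: a failed-attempt lockout keyed only by the account (here, the phone number) lets anyone who can name the account lock its real owner out. The following is an added illustration written for this article, not WhatsApp's code and not the researchers' proof of concept. The class names, the five-failure threshold, the fake clock and the sample phone number are all assumptions; only the 12-hour lockout comes from the report.

```python
"""Added illustration for this article: a verification-code lockout keyed by
phone number only (weak) versus one keyed by (phone number, requesting
client). Example code, not WhatsApp's implementation; thresholds, class
names and sample data are assumptions chosen for illustration."""
from collections import defaultdict

MAX_FAILURES = 5               # assumed threshold before a lockout
LOCKOUT_SECONDS = 12 * 3600    # the 12-hour lockout described in the article


class FakeClock:
    """Deterministic clock so the lockout can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class PhoneKeyedVerifier:
    """Failed attempts and the lockout are tracked per phone number only.
    Any client that fails repeatedly against a number locks that number
    for everyone, including its real owner (the weak design)."""

    def __init__(self, codes, clock):
        self.codes = codes              # phone -> current 6-digit code (constructed)
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, phone, client_id):
        return phone

    def verify(self, phone, code, client_id):
        key = self._key(phone, client_id)
        now = self.clock.now()
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if code == self.codes.get(phone):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.failures[key] = 0
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return "wrong"


class ClientKeyedVerifier(PhoneKeyedVerifier):
    """Same logic, but failures are counted per (phone, client), so the
    attacker's handset locks only itself and the owner is unaffected."""

    def _key(self, phone, client_id):
        return (phone, client_id)


def simulate(verifier_cls):
    """Attacker on their own handset burns MAX_FAILURES wrong codes against the
    victim's number, then the victim submits the correct code. Returns what
    the attacker sees on their next try and what the victim sees."""
    clock = FakeClock()
    codes = {"+15550100": "123456"}     # constructed sample data
    v = verifier_cls(codes, clock)
    victim, attacker = "owner-phone", "attacker-phone"
    for _ in range(MAX_FAILURES):
        v.verify("+15550100", "000000", attacker)
    attacker_view = v.verify("+15550100", "000000", attacker)
    victim_view = v.verify("+15550100", "123456", victim)
    return attacker_view, victim_view


def lockout_expires(verifier_cls):
    """Confirm the lock is time-bounded: correct code fails during the 12 hours
    and succeeds once the window has passed."""
    clock = FakeClock()
    codes = {"+15550100": "123456"}
    v = verifier_cls(codes, clock)
    for _ in range(MAX_FAILURES):
        v.verify("+15550100", "000000", "attacker-phone")
    during = v.verify("+15550100", "123456", "attacker-phone")
    clock.advance(LOCKOUT_SECONDS + 1)
    after = v.verify("+15550100", "123456", "attacker-phone")
    return during, after


if __name__ == "__main__":
    print("phone-keyed :", simulate(PhoneKeyedVerifier))   # ('locked', 'locked')
    print("client-keyed:", simulate(ClientKeyedVerifier))  # ('locked', 'ok')
```

The caveat a practitioner should keep in mind: counting failures per client on its own weakens brute-force protection, since a six-digit code has only a million possibilities and an attacker with many clients could spread guesses across them. A real design still needs a per-number cap on attempts, but one that expires the code and issues a fresh one rather than locking the number for hours, so that the owner's own device can always complete verification. The second weakness in the article, support deactivating a number on the strength of an email, is a process failure that no throttling code fixes; it needs proof of possession of the number before any deactivation.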
What happens next?
Using this loophole, an attacker can deactivate a chosen user's WhatsApp account, and it would appear as though WhatsApp had locked out the user for repeatedly trying to sign in to their own account.
In effect, the attacker makes the legitimate user look like an intruder trying to gain access to someone else's account.
What can be done to prevent such an attack?
Our internal experts suggest that WhatsApp users can reduce their exposure to this kind of attack by linking an email address to their WhatsApp account, since WhatsApp has not said whether it will be fixing this loophole. Note that this helps with account recovery but, as the researchers point out above, does not by itself stop the lockout.
To read more, please check eScan Blog